Google security engineers said last week that they successfully reduced the “patch gap” in Google Chrome from 33 days to just 15 days.

The term “patch gap” refers to the time between a security fix landing in an open source library and the same fix shipping in the software that uses that library.

In the current software landscape where many apps are dependent on open source components, the “patch gap” is considered a major security risk.

The reason is that when a security bug is fixed in an open source library, details about that bug become public, mainly because of the public nature and openness of most open source projects.

Attackers can then use the details of these security bugs to build exploits and attack software that depends on the vulnerable component before the software maker has had a chance to release a patch.

If the software maker has a fixed release schedule, with updates coming out every few weeks or months, the patch gap gives attackers an attack window that most software projects cannot close in time.

The Chrome web browser is one of the projects hit by a patch gap because it uses a large number of open source components, from the PDFium PDF rendering library to the V8 JavaScript engine, to name just a few.

In 2019, security researchers at Exodus Intelligence twice emphasized that the large patch gap of Chrome can be exploited by attackers.

First in April and then in September, Exodus researchers developed proof-of-concept exploit code for security bugs that had been fixed in the V8 JavaScript engine but had not yet made their way downstream into the Chrome code base.

Google has taken note

The good news for Chrome users is that the Exodus team’s investigation of the topic and its subsequent warnings did not go unheard by the Chrome Security team.

In Chrome’s recently published quarterly security summary for Q4 2019, Google engineers said they have been working to narrow Chrome’s patch gap.

“We now release regular renewal versions every two weeks with the latest serious security solutions,” said Andrew R. Whalley, member of the Chrome Security team.

“This has reduced the median patch gap from 33 days in Chrome 76 to 15 days in Chrome 78, and we are continuing to work on improving it,” he added.
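The “median patch gap” Whalley cites is a metric any team that ships software built on open source components can track for itself. The following added example (not code from the article or from the Chrome project; the component names, dates and the 14-day policy threshold are constructed) computes the median gap between an upstream fix date and the date the consuming product shipped it, and treats a fix that has not shipped yet as an open gap measured up to a reference date, so a still-exposed component is not silently excluded:

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class FixRecord:
    """One upstream security fix and when (if ever) the product shipped it."""
    component: str
    upstream_fixed: date          # fix landed publicly in the open source library
    shipped: Optional[date]       # None means the product has not shipped it yet


# Constructed sample data (hypothetical components, not real Chrome/V8 records).
AS_OF = date(2019, 11, 20)
SAMPLE_RECORDS: List[FixRecord] = [
    FixRecord("js-engine", date(2019, 6, 3), date(2019, 7, 6)),     # 33 days
    FixRecord("pdf-lib", date(2019, 9, 2), date(2019, 9, 17)),      # 15 days
    FixRecord("media-lib", date(2019, 10, 1), date(2019, 10, 22)),  # 21 days
    FixRecord("net-lib", date(2019, 11, 5), None),                  # still open: 15 days as of AS_OF
    FixRecord("image-lib", date(2019, 12, 2), date(2019, 12, 12)),  # 10 days
]


def patch_gap_days(record: FixRecord, as_of: date) -> int:
    """Days the product was exposed after the upstream fix became public.

    An unshipped fix is still an open window, so it is measured up to `as_of`
    rather than dropped from the statistics.
    """
    end = record.shipped if record.shipped is not None else as_of
    return (end - record.upstream_fixed).days


def median_patch_gap(records: List[FixRecord], as_of: date) -> float:
    """Median exposure window across all tracked components."""
    return median(patch_gap_days(r, as_of) for r in records)


def components_over_threshold(records: List[FixRecord], as_of: date, max_days: int) -> List[str]:
    """Components whose gap exceeds the policy threshold, sorted by name."""
    return sorted(r.component for r in records if patch_gap_days(r, as_of) > max_days)


def report(records: List[FixRecord], as_of: date, max_days: int) -> None:
    for r in records:
        state = "shipped" if r.shipped else "OPEN"
        print(f"{r.component:<10} {patch_gap_days(r, as_of):>3} days  ({state})")
    print(f"median patch gap: {median_patch_gap(records, as_of)} days")
    print(f"over {max_days}-day threshold: {components_over_threshold(records, as_of, max_days)}")


if __name__ == "__main__":
    report(SAMPLE_RECORDS, AS_OF, max_days=14)
```

The threshold check is the actionable part: a biweekly release cadence like the one Whalley describes cannot bring the gap below roughly the cadence length, so the threshold should be set to what the release process can actually meet, and anything above it flagged for an out-of-band release.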

Chrome security updates every week?

As Whalley explained, Google’s response to narrowing Chrome’s patch gap was to release security fixes more frequently. Because Google plans to narrow the gap even further, it is likely that Chrome security fixes will soon ship weekly, as Google engineers push critical fixes from open source libraries out to users’ Chrome browsers.

Because Chrome has a silent update mechanism that is enabled by default for all users, Chrome users in most cases do not need to take any action to receive the fixes.

Similar “patch-gapping” problems also affect Google’s other major software project, the Android OS, which likewise depends on a large number of open source components. However, delivering security updates for Android is … a mess, to say the least.